Collector #572: WebDAV GET protected by 'FTP Access' permission.

Two new methods have been added to WebDAV resources, "manage_DAVget"
and "listDAVObjects". These are now used by WebDAV instead of the
earlier "manage_FTPget" and "objectValues". This separates the
permissions, and allows WebDAV specific overriding of these methods.

doc/CHANGES.txt

@@ -15,6 +15,11 @@ Zope Changes
        (such as storages, databases, or logging handlers) to be used.
 
     Bugs fixed
+     - Collector #572: WebDAV GET protected by 'FTP Access' permission.
+       Two new methods have been added to WebDAV resources, "manage_DAVget"
+       and "listDAVObjects". These are now used by WebDAV instead of the
+       earlier "manage_FTPget" and "objectValues". This separates the
+       permissions, and allows WebDAV specific overriding of these methods.
 
      - Collector #904: Platform specific signals in zdaemon/Daemon.py
        (fixed by removing the "fossil" module from 2.7 branch and head).

lib/python/ZServer/HTTPServer.py

@@ -244,7 +244,7 @@ class zhttp_handler:
         if self._wdav_client_reg(agent):
             env['WEBDAV_SOURCE_PORT'] = 1
             path_info = env['PATH_INFO']
-            path_info = posixpath.join(path_info, 'manage_FTPget')
+            path_info = posixpath.join(path_info, 'manage_DAVget')
             path_info = posixpath.normpath(path_info)
             env['PATH_INFO'] = path_info
 

lib/python/webdav/Collection.py

@@ -13,7 +13,7 @@
 
 """WebDAV support - collection objects."""
 
-__version__='$Revision: 1.24 $'[11:-2]
+__version__='$Revision: 1.25 $'[11:-2]
 
 import sys, os,  Globals, davcmds, Lockable,re
 from common import urlfix, rfc1123_date
@@ -127,5 +127,13 @@ class Collection(Resource):
 
         return RESPONSE
 
+    def listDAVObjects(self):
+        objectValues = getattr(self, 'objectValues', None)
+        if objectValues is not None:
+            return objectValues()
+        return []
+        
+
+
 
 Globals.default__class_init__(Collection)

lib/python/webdav/Resource.py

@@ -13,7 +13,7 @@
 
 """WebDAV support - resource objects."""
 
-__version__='$Revision: 1.55 $'[11:-2]
+__version__='$Revision: 1.56 $'[11:-2]
 
 import sys, os,  mimetypes, davcmds, ExtensionClass, Lockable
 from common import absattr, aq_base, urlfix, rfc1123_date, tokenFinder, urlbase
@@ -42,7 +42,8 @@ class Resource(ExtensionClass.Base, Lockable.LockableItem):
 
     __ac_permissions__=(
         ('View',                             ('HEAD',)),
-        ('WebDAV access',                    ('PROPFIND',),
+        ('WebDAV access',                    ('PROPFIND', 'manage_DAVget',
+                                              'listDAVObjects'),
          ('Authenticated', 'Manager')),
         ('Manage properties',                ('PROPPATCH',)),
         ('Delete objects',                   ('DELETE',)),
@@ -550,4 +551,11 @@ class Resource(ExtensionClass.Base, Lockable.LockableItem):
         return RESPONSE
 
 
+    def manage_DAVget(self):
+        return self.manage_FTPget(self)
+
+    def listDAVObjects(self):
+        return []
+
+        
 Globals.default__class_init__(Resource)

lib/python/webdav/davcmds.py

@@ -13,7 +13,7 @@
 
 """WebDAV xml request objects."""
 
-__version__='$Revision: 1.20 $'[11:-2]
+__version__='$Revision: 1.21 $'[11:-2]
 
 import sys, os
 from common import absattr, aq_base, urlfix, urlbase
@@ -141,7 +141,7 @@ class PropFind:
         else: raise 'Bad Request', 'Invalid request'
         result.write('</d:response>\n')
         if depth in ('1', 'infinity') and iscol:
-            for ob in obj.objectValues():
+            for ob in obj.listDAVObjects():
                 if hasattr(ob,"meta_type"):
                     if ob.meta_type=="Broken Because Product is Gone": continue
                 dflag=hasattr(ob, '_p_changed') and (ob._p_changed == None)